GroupBlog – Exchange, PowerShell, AD, Outlook etc.


Category Archives: Mail Flow

I have found that one of my customer domains has a problem sending messages outside its environment. Some messages got stuck in the queue for several hours or days without any apparent reason. SMTP traffic to most other domains was OK, but some domains had the problem. I suspect that the cause was multiple SPF TXT records published for a single domain. Example:

3.1.2. Multiple DNS Records: A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record. See Section 4.5 for the selection rules.

The explanation is quite logical: if there is more than one SPF record, a permanent error is returned.

4.5. Selecting Records

Records begin with a version section:

record = version terms *SP
version = "v=spf1"

Starting with the set of records that were returned by the lookup, record selection proceeds in two steps:

1. Records that do not begin with a version section of exactly "v=spf1" are discarded. Note that the version section is terminated either by an SP character or the end of the record. A record with a version section of "v=spf10" does not match and must be discarded.

2. If any records of type SPF are in the set, then all records of type TXT are discarded.

After the above steps, there should be exactly one record remaining and evaluation can proceed. If there are two or more records remaining, then check_host() exits immediately with the result of "PermError".

If no matching records are returned, an SPF client MUST assume that the domain makes no SPF declarations. SPF processing MUST stop and return "None".

Well, the consequence of this “implementation” is that some messages from a domain with a wrong SPF record to a domain that performs SPF checks might be lost (-all) or delayed. I am going to investigate this further. If you have experience with a similar problem, please let me know.
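As an added example (not part of the original post), the selection rules quoted above applied in Python to the TXT strings returned for one domain. The sample records are constructed; in practice you would feed the function the TXT strings from Resolve-DnsName -Type TXT or dig txt for the domain that has the queue problem.

```python
# Added example: RFC 7208 section 4.5 record selection over the TXT records
# of one domain. Sample records below are constructed (RFC 5737 addresses).
from typing import List, Optional, Tuple

VERSION = "v=spf1"


def has_spf1_version_section(record: str) -> bool:
    """True only when the record starts with exactly 'v=spf1' followed by
    a space or the end of the record, so 'v=spf10 ...' is rejected."""
    if not record.startswith(VERSION):
        return False
    return len(record) == len(VERSION) or record[len(VERSION)] == " "


def select_spf_record(txt_records: List[str]) -> Tuple[str, Optional[str]]:
    """Apply the selection rules to the TXT records of a domain.

    Returns ("None", None)      - no SPF record, domain makes no declaration
            ("PermError", None) - two or more records survive, check_host()
                                  exits with a permanent error
            ("OK", record)      - exactly one record, evaluation can proceed
    Step 2 of section 4.5 (records of type SPF) is skipped because the SPF
    RR type is deprecated; only TXT records are considered here.
    """
    candidates = [r for r in txt_records if has_spf1_version_section(r)]
    if not candidates:
        return ("None", None)
    if len(candidates) > 1:
        return ("PermError", None)
    return ("OK", candidates[0])


if __name__ == "__main__":
    # Constructed zone that publishes two SPF records: this is the situation
    # described above, and receivers return PermError for every message.
    broken = ["v=spf1 ip4:192.0.2.10 -all",
              "v=spf1 include:_spf.example.net -all",
              "google-site-verification=constructed-token"]
    print(select_spf_record(broken))  # ('PermError', None)
    # Corrected zone: one merged SPF record; the 'v=spf10' record is ignored.
    fixed = ["v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
             "v=spf10 ip4:192.0.2.11 -all"]
    print(select_spf_record(fixed))
```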

I recently came across this problem. One of my customers had a wrong setting for a no-reply e-mail address, and messages got lost between the on-premises Hub Transport servers and the Symantec cloud in such a way that the message appeared to have been sent successfully but was dropped on the Symantec side without notification.

Wrong settings:

All noreply e-mail addresses had been set on the MailContact object as follows: smtp:noreply@accepteddomain1.com, smtp:noreply@accepteddomain2.com, …, SMTP:noreply@noreply.xxx, with ExternalEmailAddress set to noreply@noreply.xxx.

I have had to renew the SMTP certificate on the Edge servers. Here is the procedure to renew the certificate and re-create the Edge Subscription. This procedure starts once the CSR has been created and we have received the certificate from the trusted CA.

1. Import the new certificate. To import the certificate into the local certificate store, run:

3. Enable the new Exchange certificate for the SMTP service. Before the certificate can be used, it must be enabled for the particular services.

Enable-ExchangeCertificate -Thumbprint <thumbprint-of-new-certificate> -Services SMTP

Result:

[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32>

4. Restart the transport service and the AD LDS service. At this moment e-mail stops flowing to this Edge server, because AD LDS is using the new certificate while the Edge Subscription still references the old one.

5. Create the subscription file (XML) on the Edge server and copy it to the Hub server. We don't need to create connectors for the Edge Subscription, since those already exist. The Edge server must be subscribed to the AD site within 24 hours of creating the subscription file.

[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateInternetSendConnector $false -CreateInboundSendConnector $false
Confirm
The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

6. Subscribe the Edge server on the Hub server using the subscription file (XML). We need to re-create the trusted connection between the Edge server and the Hub servers. The subscription needs to be re-created because AD LDS now needs to use the new certificate instead of the old one. It is enough to subscribe each Edge server once per subscription file.